After nearly two years, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. From the name, you may assume that a business outside the state of California is unaffected, but you would be wrong.
CCPA defines covered entities as businesses that do business in the state of California and satisfy one or more of the following thresholds:
- Gross revenue in excess of $25 million
- Receives personal information on 50,000 or more consumers
- Derives 50 percent or more annual revenue from selling consumers’ personal information
Businesses that operate outside the state of California are still affected by the privacy regulation if they conduct business over the Internet, collect consumer data and meet one of the above thresholds. This consumer data, such as a name or buying habits, has been a hot commodity for years—bought, sold and used by businesses without the public’s knowledge.
With the passing of this new regulation, businesses must now notify consumers whenever their personal information is collected. In addition, they must tell consumers why it is being collected and offer them the option not only to opt out of the collection process but also to have the collected information deleted.
Your Company’s Role in CCPA
CCPA is a challenging regulation because it is not just about being compliant and keeping your customers informed. If you are a covered entity, CCPA can affect numerous departments in your company, including IT, cybersecurity and, if your data is stored or handled by a third party, vendor risk management.
In order to comply with consumer rights under this regulation, your company will need to implement new protocols for collecting and handling personal data, whether it resides on your own servers or on those of a third party. For example, according to the CCPA guidelines, you will need permanent opt-out and data deletion protocols for handling personal data that is “subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.” (1798.100. S-3)
As you adopt these CCPA requirements, make sure you’re assessing your vendors so you can scale your vendor risk management program. If your data is handled by or stored with a third-party vendor, your company should consider a technology platform that incorporates a CCPA component.
The Consequences of Non-Compliance
If a covered entity fails to implement safeguards to protect consumer data and a data breach results, this violation of the CCPA can lead to a lawsuit. Affected consumers are entitled to not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater, plus any other relief the court deems necessary for the damages incurred.
According to the HIPAA Journal, the global average cost of a data breach increased to $3.92 million in 2019. The average breach size is 25,575 records and the cost per breached record is $150. Add to this $750 per consumer affected and that number could rise by more than $19 million.